From nobody Tue Oct 05 14:42:25 2021
X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id B0FCA12B8BA8; Tue, 5 Oct 2021 14:42:25 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4HP0fn4XdSz3Jgh; Tue, 5 Oct 2021 14:42:25 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 7BF37653C; Tue, 5 Oct 2021 14:42:25 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 195EgPhu015562; Tue, 5 Oct 2021 14:42:25 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 195EgPQQ015561; Tue, 5 Oct 2021 14:42:25 GMT (envelope-from git)
Date: Tue, 5 Oct 2021 14:42:25 GMT
Message-Id: <202110051442.195EgPQQ015561@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
From: Charlie Li Subject: git: 929ee09863ac - 2021Q4 - security/py-cryptography: support LibreSSL 3.4.0 List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-all@freebsd.org X-BeenThere: dev-commits-ports-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: vishwin X-Git-Repository: ports X-Git-Refname: refs/heads/2021Q4 X-Git-Reftype: branch X-Git-Commit: 929ee09863ac5d39c67651314006375ff5f2549c Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch 2021Q4 has been updated by vishwin: URL: https://cgit.FreeBSD.org/ports/commit/?id=929ee09863ac5d39c67651314006375ff5f2549c commit 929ee09863ac5d39c67651314006375ff5f2549c Author: Charlie Li AuthorDate: 2021-10-03 14:29:20 +0000 Commit: Charlie Li CommitDate: 2021-10-05 14:41:10 +0000 security/py-cryptography: support LibreSSL 3.4.0 Merged upstream as https://github.com/pyca/cryptography/pull/6360 and backported to this version. While here, remove remaining FreeBSD 11 cruft Approved by: fluffy (mentor), koobs (implicit: MAINTAINER_POLICY) Differential Revision: https://reviews.freebsd.org/D32281 (cherry picked from commit 5b57210d0d0a7d74c9f8b4895907b34f2f34473d) --- security/py-cryptography/Makefile | 14 ---- security/py-cryptography/distinfo | 2 - .../patch-src___cffi__src_openssl_cryptography.py | 26 ------ ...cryptography_hazmat_backends_openssl_backend.py | 29 ------- ...-src_cryptography_hazmat_backends_openssl_ec.py | 32 ------- ...88 => patch-Fix-build-with-LibreSSL-3.3.2-5988} | 0 .../files/patch-Support-LibreSSL-3.4.0-6360 | 98 ++++++++++++++++++++++ 7 files changed, 98 insertions(+), 103 deletions(-) diff --git a/security/py-cryptography/Makefile b/security/py-cryptography/Makefile index 18d7c316f41d..daf7f3a4d732 100644 
--- a/security/py-cryptography/Makefile +++ b/security/py-cryptography/Makefile @@ -35,20 +35,6 @@ TEST_ENV= PYTHONPATH=${STAGEDIR}${PYTHONPREFIX_SITELIBDIR} .include -# OpenSSL 1.0.2t got some curve matching parameter code backported before it -# has reached its End-of-Life and security/py-cryptography already had some -# code to handle this case, but it assumed OpenSSL 1.1.0+ . -# -# This has been fixed in 3.0-23-g241f8450 of security/py-cryptography and to be -# clear: It isn't a security fix but rather a workaround to handle unnamed but -# really named curves with OpenSSL 1.0.2t/u . - -# We need to keep old py-cryptography and py-openssl for 11.x release -# due to outdated OpenSSL version in base - -# Apply LibreSSL upstream patch that conflicts with above patch for 2.9.2 -EXTRA_PATCHES= ${PATCHDIR}/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988 - .if ${CHOSEN_COMPILER_TYPE} == gcc && ${COMPILER_VERSION} <= 42 post-patch: @${REINPLACE_CMD} -e 's|"-Wno-error=sign-conversion"||' \ diff --git a/security/py-cryptography/distinfo b/security/py-cryptography/distinfo index d7062e6364f6..a2ec74471294 100644 --- a/security/py-cryptography/distinfo +++ b/security/py-cryptography/distinfo @@ -1,5 +1,3 @@ TIMESTAMP = 1614253508 -SHA256 (cryptography-2.9.2.tar.gz) = a0c30272fb4ddda5f5ffc1089d7405b7a71b0b0f51993cb4e5dbb4590b2fc229 -SIZE (cryptography-2.9.2.tar.gz) = 517571 SHA256 (cryptography-3.3.2.tar.gz) = 5a60d3780149e13b7a6ff7ad6526b38846354d11a15e21068e57073e29e19bed SIZE (cryptography-3.3.2.tar.gz) = 539883 diff --git a/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py b/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py deleted file mode 100644 index bf5d425142e6..000000000000 --- a/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py +++ /dev/null 
@@ -1,26 +0,0 @@ -Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves - -PR #5362 - -Obtained from: -https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79 - ---- src/_cffi_src/openssl/cryptography.py.orig 2020-04-22 22:27:48 UTC -+++ src/_cffi_src/openssl/cryptography.py -@@ -47,6 +47,8 @@ INCLUDES = """ - (OPENSSL_VERSION_NUMBER >= 0x10002000 && !CRYPTOGRAPHY_IS_LIBRESSL) - #define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \ - (OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL) -+#define CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER \ -+ (OPENSSL_VERSION_NUMBER >= 0x1000215fL && !CRYPTOGRAPHY_IS_LIBRESSL) - #define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \ - (OPENSSL_VERSION_NUMBER >= 0x10100000 && !CRYPTOGRAPHY_IS_LIBRESSL) - #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \ -@@ -68,6 +70,7 @@ INCLUDES = """ - - TYPES = """ - static const int CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER; -+static const int CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER; - static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER; - static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER; - diff --git a/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py b/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py deleted file mode 100644 index fc9701242a42..000000000000 --- a/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py +++ /dev/null 
@@ -1,29 +0,0 @@ -Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves - -PR #5362 - -Obtained from: -https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79 - ---- src/cryptography/hazmat/backends/openssl/backend.py.orig 2020-04-22 22:27:48 UTC -+++ src/cryptography/hazmat/backends/openssl/backend.py -@@ -1515,8 +1515,19 @@ class Backend(object): - - def _ec_key_new_by_curve(self, curve): - curve_nid = self._elliptic_curve_to_nid(curve) -+ return self._ec_key_new_by_curve_nid(curve_nid) -+ -+ def _ec_key_new_by_curve_nid(self, curve_nid): - ec_cdata = self._lib.EC_KEY_new_by_curve_name(curve_nid) - self.openssl_assert(ec_cdata != self._ffi.NULL) -+ # Setting the ASN.1 flag to OPENSSL_EC_NAMED_CURVE is -+ # only necessary on OpenSSL 1.0.2t/u. Once we drop support for 1.0.2 -+ # we can remove this as it's done automatically when getting an EC_KEY -+ # from new_by_curve_name -+ # CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER -+ self._lib.EC_KEY_set_asn1_flag( -+ ec_cdata, backend._lib.OPENSSL_EC_NAMED_CURVE -+ ) - return self._ffi.gc(ec_cdata, self._lib.EC_KEY_free) - - def load_der_ocsp_request(self, data): diff --git a/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py b/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py deleted file mode 100644 index 4c155c1d7b2d..000000000000 --- a/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py +++ /dev/null 
@@ -1,32 +0,0 @@ -Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves - -PR #5362 - -Obtained from: -https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79 - ---- src/cryptography/hazmat/backends/openssl/ec.py.orig 2020-04-22 22:26:51 UTC -+++ src/cryptography/hazmat/backends/openssl/ec.py -@@ -42,7 +42,7 @@ def _ec_key_curve_sn(backend, ec_key): - # explicitly encoded a curve with the same parameters as a named curve. - # Don't do that. - if ( -- backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER and -+ backend._lib.CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER and - backend._lib.EC_GROUP_get_asn1_flag(group) == 0 - ): - raise NotImplementedError( -@@ -195,12 +195,7 @@ class _EllipticCurvePrivateKey(object): - self._backend.openssl_assert(group != self._backend._ffi.NULL) - - curve_nid = self._backend._lib.EC_GROUP_get_curve_name(group) -- -- public_ec_key = self._backend._lib.EC_KEY_new_by_curve_name(curve_nid) -- self._backend.openssl_assert(public_ec_key != self._backend._ffi.NULL) -- public_ec_key = self._backend._ffi.gc( -- public_ec_key, self._backend._lib.EC_KEY_free -- ) -+ public_ec_key = self._backend._ec_key_new_by_curve_nid(curve_nid) - - point = self._backend._lib.EC_KEY_get0_public_key(self._ec_key) - self._backend.openssl_assert(point != self._backend._ffi.NULL) diff --git a/security/py-cryptography/files/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988 b/security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988 similarity index 100% rename from security/py-cryptography/files/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988 rename to security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988 diff --git a/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360 b/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360 new file mode 100644 index 000000000000..a8bb6dc6da43 --- /dev/null +++ b/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360 
@@ -0,0 +1,98 @@ +From 7a341a5d3cb9380e77b0241b5198373ab6fc355e Mon Sep 17 00:00:00 2001 +From: Charlie Li +Date: Sun, 3 Oct 2021 00:20:31 -0400 +Subject: [PATCH] Support LibreSSL 3.4.0 (#6360) + +* Add LibreSSL 3.4.0 to CI + +* Add a LibreSSL 3.4.0 guard + +Since LibreSSL 3.4.0 makes most of the TLSv1.3 API available, redefine CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 to LibreSSL versions below 3.4.0. + +* DTLS_get_data_mtu does not exist in LibreSSL + +* Only EVP_Digest{Sign,Verify} exist in LibreSSL 3.4.0+ + +* SSL_CTX_{set,get}_keylog_callback does not exist in LibreSSL + +* Do not pollute CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 with LibreSSL + +While LibreSSL 3.4.0 supports more of TLSv1.3 API, the guard redefinition caused the X448 tests to run when not intended. +--- + .github/workflows/ci.yml | 6 ++++-- + src/_cffi_src/openssl/cryptography.py | 3 +++ + src/_cffi_src/openssl/evp.py | 15 ++++++++++----- + src/_cffi_src/openssl/ssl.py | 3 ++- + 4 files changed, 19 insertions(+), 8 deletions(-) + +diff --git src/_cffi_src/openssl/cryptography.py src/_cffi_src/openssl/cryptography.py +index 878d22d8..821ddc9f 100644 +--- src/_cffi_src/openssl/cryptography.py ++++ src/_cffi_src/openssl/cryptography.py +@@ -36,8 +36,11 @@ INCLUDES = """ + #if CRYPTOGRAPHY_IS_LIBRESSL + #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 \ + (LIBRESSL_VERSION_NUMBER < 0x3030200f) ++#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 \ ++ (LIBRESSL_VERSION_NUMBER < 0x3040000f) + #else + #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 (0) ++#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 (0) + #endif + + #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \ +diff --git src/_cffi_src/openssl/evp.py src/_cffi_src/openssl/evp.py +index ab7cfeb3..cad3339a 100644 +--- src/_cffi_src/openssl/evp.py ++++ src/_cffi_src/openssl/evp.py +@@ -203,15 +203,21 @@ int (*EVP_PKEY_set1_tls_encodedpoint)(EVP_PKEY *, const unsigned char *, + size_t) = NULL; + #endif + +-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 ++#if 
CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \ ++ (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL) + static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 0; +-static const long Cryptography_HAS_RAW_KEY = 0; +-static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0; +-int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL; + int (*EVP_DigestSign)(EVP_MD_CTX *, unsigned char *, size_t *, + const unsigned char *tbs, size_t) = NULL; + int (*EVP_DigestVerify)(EVP_MD_CTX *, const unsigned char *, size_t, + const unsigned char *, size_t) = NULL; ++#else ++static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1; ++#endif ++ ++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 ++static const long Cryptography_HAS_RAW_KEY = 0; ++static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0; ++int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL; + EVP_PKEY *(*EVP_PKEY_new_raw_private_key)(int, ENGINE *, const unsigned char *, + size_t) = NULL; + EVP_PKEY *(*EVP_PKEY_new_raw_public_key)(int, ENGINE *, const unsigned char *, +@@ -221,7 +227,6 @@ int (*EVP_PKEY_get_raw_private_key)(const EVP_PKEY *, unsigned char *, + int (*EVP_PKEY_get_raw_public_key)(const EVP_PKEY *, unsigned char *, + size_t *) = NULL; + #else +-static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1; + static const long Cryptography_HAS_RAW_KEY = 1; + static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 1; + #endif +diff --git src/_cffi_src/openssl/ssl.py src/_cffi_src/openssl/ssl.py +index ca275e91..0830a463 100644 +--- src/_cffi_src/openssl/ssl.py ++++ src/_cffi_src/openssl/ssl.py +@@ -678,7 +678,8 @@ int (*SSL_set_tlsext_use_srtp)(SSL *, const char *) = NULL; + SRTP_PROTECTION_PROFILE * (*SSL_get_selected_srtp_profile)(SSL *) = NULL; + #endif + +-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 ++#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \ ++ (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL) + static const long 
Cryptography_HAS_TLSv1_3 = 0; + static const long SSL_OP_NO_TLSv1_3 = 0; + static const long SSL_VERIFY_POST_HANDSHAKE = 0; +-- +2.32.0 +
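Review bot: In the security/py-cryptography/Makefile hunk, removing the unconditional `EXTRA_PATCHES= ${PATCHDIR}/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988` is only safe because the same file is renamed to `files/patch-Fix-build-with-LibreSSL-3.3.2-5988` later in this diff, where the ports framework applies it by default; the two changes depend on each other, so cherry-picking this hunk alone would silently stop the LibreSSL 3.3.2 fix from being applied. A sentence in the commit message saying that the rename replaces EXTRA_PATCHES would make that explicit. Also, the diffstat shows this hunk as the Makefile's entire change (14 deletions), so the 2.9.2/OpenSSL 1.0.2 version-selection logic the deleted comments describe must already be gone; please confirm nothing else in the port still references `openssl102u` or `cryptography-2.9.2`.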
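Review bot: In the distinfo hunk, dropping the `cryptography-2.9.2.tar.gz` SHA256 and SIZE lines means any surviving code path that still selects the 2.9.2 distfile would now fail at the checksum stage rather than build, and since the Makefile hunk in this commit removes only comments and EXTRA_PATCHES, that path is worth double-checking for. Leaving `TIMESTAMP = 1614253508` untouched is fine here because the 3.3.2 distfile and its checksum are unchanged.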
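Review bot: In the new patch-Support-LibreSSL-3.4.0-6360 file, the header's diffstat still lists `.github/workflows/ci.yml | 6 ++++--` and `4 files changed, 19 insertions(+), 8 deletions(-)`, but the ports copy carries only the three `src/_cffi_src` hunks. `patch(1)` ignores the stale diffstat, but it misleads anyone auditing what the port actually changes; trim it or add a line to the file header noting that the CI hunk was intentionally dropped. The `CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340` macro itself is fine: it mirrors `CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332` under `INCLUDES` and is only used as a preprocessor guard in the evp.py and ssl.py hunks, so no `TYPES` entry is needed. Since the commit message says this was backported from upstream to 3.3.2, the `index 878d22d8..821ddc9f` lines and `@@` offsets come from upstream main; confirm in the build log that all three hunks apply without fuzz against the 3.3.2 tree.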
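Review bot: In the evp.py hunk, the `!CRYPTOGRAPHY_IS_LIBRESSL` term in `CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)` is load-bearing: per the last bullet of the patch description, `CRYPTOGRAPHY_OPENSSL_LESS_THAN_111` remains true on LibreSSL, so without it LibreSSL 3.4.0 would keep `EVP_DigestSign`/`EVP_DigestVerify` stubbed to NULL and `Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY` at 0. Two follow-ups: the identical two-line condition is now duplicated verbatim in evp.py and ssl.py, so a single helper macro defined next to `CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340` in cryptography.py (name up to the author) would keep the two from drifting apart; and the split that leaves `Cryptography_HAS_RAW_KEY`, `Cryptography_HAS_EVP_DIGESTFINAL_XOF` and `EVP_DigestFinalXOF` under the plain `CRYPTOGRAPHY_OPENSSL_LESS_THAN_111` guard is correct because only EVP_Digest{Sign,Verify} exist on LibreSSL 3.4.0 (third bullet), but a one-line comment above the second `#if` saying exactly that would spare the next reader the same reasoning.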
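Review bot: In the ssl.py hunk, the new guard sends LibreSSL 3.4.0+ into the `#else` branch of the TLSv1.3 block, which the description says is intended. However, the bullets "DTLS_get_data_mtu does not exist in LibreSSL" and "SSL_CTX_{set,get}_keylog_callback does not exist in LibreSSL" correspond to no hunk in the squashed patch: the diffstat for ssl.py is `3 ++-`, which is exactly this one guard change, and no DTLS hunk appears at all. Either those symbols are already guarded separately or the squash dropped something; please confirm that neither `DTLS_get_data_mtu` nor the keylog callback setters are referenced unguarded in the `#else` branch this hunk now enables on LibreSSL, because an unguarded reference would fail at compile or link time against LibreSSL 3.4.0, and consider pruning the two bullets from the description if they no longer describe the diff.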